The SolarWinds breach disclosed at the end of 2020 is an event whose breadth and depth we won't truly understand for some time, if ever. But already, several discussions we've been having in the abstract for years have become very concrete. First, the systems we use to develop, build and deploy our code are themselves production systems, and should be secured and monitored as such. Second, securing the software supply chain is one of the most underrated, and most often overlooked, aspects of security.
All software today is built with dependencies. The vast availability of excellent open source tooling has let all of us stand on the shoulders of giants and build software better and faster than we could have dreamed of even 5 or 10 years ago. Treating these dependencies, both the explicit ones we declare and the transitive ones they pull in, as links in a software supply "chain" could not be more accurate. And the truth is, a chain is only as strong as its weakest link.
In this talk, we'll examine what is publicly known of the complexity and sophisticated tradecraft of the SolarWinds / Sunburst attack. But perhaps more importantly, we'll delve into the simple, practical security measures that were missed and that allowed the attackers to gain a foothold in the first place.